[TODO]: CI - Assess if `provenance: false` is still necessary #3582
Labels: area/ci; kind/improvement (Improve an existing feature, configuration file or the documentation); stale-bot/ignore (Indicates that this issue / PR shall not be closed by our stale-checking CI)
Comments

polarathene added the area/ci, kind/improvement and stale-bot/ignore labels on Oct 15, 2023
References of known/historical concerns related to this feature:

Compute platforms that support containers:
Registries:
Docker CLI:
Other projects:
Docker / Buildx / BuildKit releases:

GHCR manifest example with `unknown/unknown`:

`docker manifest inspect ghcr.io/drwetter/testssl.sh:3.2`

Outputs (one

```json
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "size": 862,
      "digest": "sha256:619554481e9b41518277e294932b60b3390b8713ab6a638f5ef19e8f193379cc",
      "platform": {
        "architecture": "amd64",
        "os": "linux"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "size": 862,
      "digest": "sha256:f89063c9b784240b4ed10ad459c3c89e43250ded3de9b06c7266dcabfe40e3ae",
      "platform": {
        "architecture": "386",
        "os": "linux"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "size": 862,
      "digest": "sha256:5bf2938aba604da399c0ff43acf3eeb29c9206d89a6e599dbb6f8e4505664968",
      "platform": {
        "architecture": "arm64",
        "os": "linux"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "size": 862,
      "digest": "sha256:da694c491a7151f2f56a7f6bd021e1f2f5790b6cee4ff042cafe0a65bad56767",
      "platform": {
        "architecture": "arm",
        "os": "linux",
        "variant": "v7"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "size": 862,
      "digest": "sha256:76f44fab69aa7e80a97e310eecd0188818386a5824fe7ea23f14e60d4c79ec21",
      "platform": {
        "architecture": "arm",
        "os": "linux",
        "variant": "v6"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "size": 862,
      "digest": "sha256:0b9c637422b5f60d39f1240056ffb2452e2e9ba2c6037efec101b8a6598e5818",
      "platform": {
        "architecture": "ppc64le",
        "os": "linux"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "size": 566,
      "digest": "sha256:17c821e18a46d1aaf867e579d25a8891bf5d1a1532a530716dfdef7b36304667",
      "platform": {
        "architecture": "unknown",
        "os": "unknown"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "size": 566,
      "digest": "sha256:f09d51401eb4d778b856e8d6cbb0fe9f25e9e13f4906f95ef126e4bbd05931e9",
      "platform": {
        "architecture": "unknown",
        "os": "unknown"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "size": 566,
      "digest": "sha256:2be5fbbc48115d1bf3256f2b36e3fbdcad5de02f5a582024082acf0e450ae915",
      "platform": {
        "architecture": "unknown",
        "os": "unknown"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "size": 566,
      "digest": "sha256:ef1808567f649b9d6c8021b36431ab97ae459a616749c5dee43c1597b0b3d5c3",
      "platform": {
        "architecture": "unknown",
        "os": "unknown"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "size": 566,
      "digest": "sha256:b7ade340375c74877f80cd4c8a462e7965f892e4654fc11f6150bfbf98ac0d40",
      "platform": {
        "architecture": "unknown",
        "os": "unknown"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "size": 566,
      "digest": "sha256:cdfdde55b992d4f2caa8c34309ea4ccae2bc9eb790d73d7d9058c8ea4d161c10",
      "platform": {
        "architecture": "unknown",
        "os": "unknown"
      }
    }
  ]
}
```
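To check whether a published image already carries the `unknown/unknown` attestation entries shown in the index above (i.e. whether provenance was enabled at build time), here is an added Python helper that is not part of the issue or the project it belongs to. It parses a `docker manifest inspect` index, separates runnable platform manifests from the `unknown/unknown` attestation manifests BuildKit attaches, and rejects a single-platform manifest; the embedded sample index and its digests are constructed and abbreviated.

```python
import json

# Constructed sample: a trimmed version of the `docker manifest inspect` index
# above (two platform manifests plus two attestation manifests, fake digests).
SAMPLE_INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"mediaType": "application/vnd.oci.image.manifest.v1+json", "size": 862,
         "digest": "sha256:aaaa", "platform": {"architecture": "amd64", "os": "linux"}},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json", "size": 862,
         "digest": "sha256:bbbb", "platform": {"architecture": "arm", "os": "linux", "variant": "v7"}},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json", "size": 566,
         "digest": "sha256:cccc", "platform": {"architecture": "unknown", "os": "unknown"}},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json", "size": 566,
         "digest": "sha256:dddd", "platform": {"architecture": "unknown", "os": "unknown"}},
    ],
})


def platform_key(platform):
    """Render a platform dict as os/arch[/variant], e.g. linux/arm/v7."""
    parts = [platform.get("os", "unknown"), platform.get("architecture", "unknown")]
    if platform.get("variant"):
        parts.append(platform["variant"])
    return "/".join(parts)


def classify_index(index_json):
    """Split a multi-platform index into runnable platform manifests and the
    unknown/unknown entries BuildKit uses for provenance/SBOM attestations."""
    index = json.loads(index_json)
    if index.get("mediaType") not in (
        "application/vnd.oci.image.index.v1+json",
        "application/vnd.docker.distribution.manifest.list.v2+json",
    ):
        raise ValueError("not a multi-platform index: %s" % index.get("mediaType"))
    platforms, attestations = [], []
    for m in index.get("manifests", []):
        p = m.get("platform", {})
        if p.get("os") == "unknown" and p.get("architecture") == "unknown":
            attestations.append(m["digest"])
        else:
            platforms.append(platform_key(p))
    return {"platforms": platforms, "attestations": attestations,
            "provenance_enabled": bool(attestations)}


if __name__ == "__main__":
    # Real use: docker manifest inspect <image> | python3 check_index.py
    import sys
    data = SAMPLE_INDEX if sys.stdin.isatty() else sys.stdin.read()
    print(json.dumps(classify_index(data), indent=2))
```

Entries counted as attestations are only inferred from the `unknown/unknown` platform, which is the same signal the manifest above exposes; `docker manifest inspect` does not show the annotations that would identify them more precisely.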
Description

SLSA (about page): A feature that provides additional insights / transparency into the image build process to establish more trust with users.

Earlier this year we had some CI issues with the `docker/build-push-action` upgrade (v3.3), that was partially affected by GitHub Actions not having upgraded their Docker package to a 2023 release (v23+) in their CI runner VMs. Here is the relevant provenance section of that action today:

In particular the `BuildxInputs.hasDockerExporter(inputs.outputs, inputs.load))` line is calling this method from `docker/actions-toolkit/buildx/inputs.ts`:

`provenance` input being `false` or unset instead of enabling the feature by default (this avoids a bug when the feature is not compatible with the BuildKit version AFAIK, but would otherwise enable implicitly if no explicit `provenance: false` was set).

`v3` series (introduced in `v3.3.0`).

`v3.3.1` release addressed this by reverting the breaking change via defaulting to `provenance: false` (even when the BuildKit version would support `--provenance`).

However v4 of `docker/build-push-action` restores the breaking change to use `provenance: true` as the default (introduced via this PR).

`context.ts` file displayed above shows, this remains the default in the current v5.

`--provenance` must remain explicit after v3 of `docker/build-push-action`.

It is noted that despite the problem in `v3.3`, the underlying `buildx` version (and technically `buildkit` too) is where this is introduced. Thus you'd still get the problem on deprecated `v2` releases of `docker/build-push-action` which lack the `provenance` input to opt out.

The buildx `0.10.0` release notes do have a disclaimer regarding SLSA provenance being dependent upon OCI-compliant images and a known compatibility issue with registries.

WIP